Allow Web Page To Be Rendered Inside HTML Frame

haizpt · Jan 21, 2015 · Viewed 22k times

I have two web applications: a web application (web-app) and a report web. I want to embed the report web in web-app in an <iframe>, but it is refused by the browser with the error:

X-Frame-Options: DENY

Any help?

Answer

m c · Jan 27, 2015

The value of X-Frame-Options can be DENY (default), SAMEORIGIN, or ALLOW-FROM uri. According to the Spring Security documentation, you can tell Spring to overwrite the default behaviour by adding your custom header this way:

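import java.util.Arrays;
import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .headers()
            // Custom writer for the X-Frame-Options header
            .addHeaderWriter(new XFrameOptionsHeaderWriter(new WhiteListedAllowFromStrategy(Arrays.asList("www.yourhostname.com"))));
    // ... rest of the configuration
}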

and Spring shall append X-Frame-Options: ALLOW-FROM ... or

 .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))

for X-Frame-Options: SAMEORIGIN, or disable it completely with

http.headers().frameOptions().disable();